Vacation Rental Phishing Scams

I had a client of mine call me last week. He said someone tried to hijack his Homeaway vacation home rental listing and scam one of his potential renters by contacting the renter and acting as if they were my client (the property owner).

Anatomy of a Vacation Rental Scam

In a nutshell, this is how it happened. Because he rents his house for ~$5000/week, my client checks his emails obsessively during the height of the rental booking season. He told me that he had checked his email around 8:30 pm EST and did not check it again until the following morning.

First thing the next morning, he got a call from a woman interested in renting his house for a long weekend (as this is a weekly rental, he does not normally rent for just the weekend). The woman said that she wanted to talk to him about his email reply to her the night before. My client knew that he had not replied to this woman and while he was on the phone with her, he checked his email. Sure enough there was a Homeaway email inquiry from this woman that had come through around 10 pm the night before, but he had not replied back to her. Someone else did…

He asked her to please forward him the reply that she had received. She forwarded him the email and sure enough, the scammer had replied to the woman offering a 10% discount if she paid the whole rental fee (about $1100) up front.

Because she called my client directly before responding to the fake reply from the scammer, this scam was stopped dead in its tracks. If she hadn’t called my client, I am sure the next email from the scammer to the renter would have been about where to send the wire transfer to reserve the house for that long weekend.

How does the scam work?

Since my client’s Homeaway account was not hacked, there is really only one way this could have happened. My client’s email account (Gmail) was hacked, plain and simple. How was it done? I am not entirely sure, but here’s how I would pull off a vacation rental phishing scam if I were a scammer.

Typical Gmail phishing email: the “Secure Your Gmail Account” link would go to a webpage with a fake Gmail form that would hijack the account password.

1. Move to a foreign country where it is unlikely that you will be prosecuted for the crime outlined below.
2. Send all the target owners a rental inquiry about renting the property via email through the vacation rental websites’ contact forms.
3. Wait for email replies from the owners of the properties.
4. From these emails, find out what time of day the owners are responding to vacation rental inquiries and which email providers the owners are using (Gmail, Hotmail, Yahoo, etc.).
5. Send the owner a phishing email and trick them into giving up their email account password.
6. Monitor the owner’s email account without giving any indication that the account has been hacked (do not change the password).
7. Wait for other renters to inquire about the owner’s property.
8. Copy these rental inquiries to another email account and permanently delete the originals from the real owner’s email account, so they will never know about them.
9. Reply to these potential renters from another email account and try to cut a deal for the rental of the unsuspecting owner’s property.
10. Offer a deep discount if the person pays the full amount up front.
11. Receive the deposit or the full amount of the payment via wire transfer or certified check.
12. Repeat steps 2 through 13 above.

How we fixed my client’s problem

The first thing we did was change my client’s Gmail password and turn on 2-step verification via SMS message to his cell phone. This way, any time someone tries to access his Gmail account with the correct username and password, he gets a text message on his phone with a code that must be entered to access the account.

Before he called me, he notified Homeaway of the issue. Homeaway immediately disabled his vacation rental listing and sent instructions for changing all his account information to a new email address we had set up for his vacation rental. All the passwords, security questions and contact email addresses were changed for his accounts and his listings were put back online.

How not to become a victim of vacation rental phishing scams

Property owners: Lock down your email accounts by turning on additional verification steps. Monitor your email account closely, and if you think you should have received some property inquiries but there are none in your email, check the contact email address in your account on the vacation rental website and the number of inquiries it shows, to make sure they are not being hijacked or deleted from your email account.

Phishing attacks have gotten pretty sophisticated lately.

DON’T FALL FOR PHISHING EMAILS.

IF THERE IS ANY QUESTION, HIT DELETE.

IF IT IS AN ACCOUNT ISSUE, ALWAYS GO DIRECTLY TO THE WEBSITE AND DO NOT FOLLOW LINKS FROM EMAILS.
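The two tells in the phishing email described above are the urgent “secure your account” wording and a link whose visible text does not match where it actually goes. The script below, an added example that is not from the original post, applies those two checks to a constructed sample email body and to a constructed legitimate one; the hostnames (`accounts-google-verify.example.net` and a made-up listing URL) and the brand list are placeholders chosen for the demonstration, and the “last two labels” domain comparison is a deliberate simplification rather than a public-suffix-aware check.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the "Secure Your Gmail Account" phish described in
# the post. The hostnames are placeholders, not real phishing sites.
SAMPLE_PHISH = """
<p>We detected unusual sign-in activity on your account.</p>
<p><a href="http://accounts-google-verify.example.net/login">Secure Your Gmail Account</a></p>
<p>Or visit <a href="http://accounts-google-verify.example.net/login">https://accounts.google.com</a></p>
"""

# Constructed sample of a normal rental reply; the listing URL is made up.
SAMPLE_LEGIT = """
<p>Thanks for your inquiry about the beach house.</p>
<p>See the listing at <a href="https://www.homeaway.com/listing/12345">https://www.homeaway.com/listing/12345</a></p>
"""

# Phrases typical of account-scare phishing (assumed list for the demo).
URGENCY_WORDS = ("secure your", "verify your", "unusual sign-in", "suspended", "within 24 hours")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (no public suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_email(html_body, brand_domains=("google.com", "gmail.com", "homeaway.com")):
    """Return human-readable findings; an empty list means nothing suspicious was found."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []

    text_lower = html_body.lower()
    for word in URGENCY_WORDS:
        if word in text_lower:
            findings.append(f"urgency wording: {word!r}")

    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        href_dom = registrable_domain(href_host)

        # Visible text that looks like a URL but resolves elsewhere is the classic lure.
        m = re.match(r"https?://([^/\s]+)", text)
        if m and registrable_domain(m.group(1)) != href_dom:
            findings.append(f"link text shows {m.group(1)} but goes to {href_host}")

        # A brand name embedded in a hostname that is not the brand's own domain.
        for brand in brand_domains:
            brand_word = brand.split(".")[0]
            if brand_word in href_host and href_dom != brand:
                findings.append(f"lookalike host {href_host} for brand {brand}")
                break
    return findings


if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess_email(body) or "no findings")
```

The point of the check is the one the post makes in capitals: the decision about an “account issue” email should rest on where the link really points, not on what the link says, and a mismatch between the two is reason enough to go to the website directly instead.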

“… Based on a sample of 3 million users collected over a period of 3 months, approximately 45% of the time, users submitted their login information to the phishing site they visited …” – Source (pdf)

Renters: Try to contact the owner directly by phone instead of email. Most vacation rental sites will list the owner’s direct phone number. Do not rely solely on email if there are any red flags, like payment required by wire transfer or certified check, or a discount deal that sounds too good to be true.